{ "type": "Domain", "indicator": "kommando.live", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/kommando.live", "alexa": "http://www.alexa.com/siteinfo/kommando.live", "indicator": "kommando.live", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4143946895, "indicator": "kommando.live", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a174c09390776ae4501284b", "name": "ACTIVIDAD MALICIOSA | Campa\u00f1a de Cloud Atlas APT: Modificaci\u00f3n de termsrv.dll para M\u00faltiples Sesiones RDP (2025-2026)", "description": "Cloud Atlas, un grupo APT activo desde al menos 2014, ha sido detectado utilizando una t\u00e9cnica sigilosa para mantener acceso persistente a sistemas Windows comprometidos. La campa\u00f1a, identificada por investigadores de Securelist y reportada en mayo de 2026, se intensific\u00f3 durante la segunda mitad de 2025 y principios de 2026, apuntando principalmente a agencias gubernamentales y organizaciones diplom\u00e1ticas en Rusia y Bielorrusia.", "modified": "2026-05-27T19:54:49.658000", "created": "2026-05-27T19:54:49.658000", "tags": [ "tor client", "malicious", "reverse ssh", "socks", "vbs tunnel", "ssh tunnel", "defang", "rutas", "archivo", "malware y", "ta0005", "command", "discovery", "powershell", "modify system", "control", "ta0011", "ta0002", "ta0003", "modificacin", "phishing", "execution", "masquerading", "malware" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)", "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 17, "domain": 24, "hostname": 1 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 268, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a174bf7082d8eb0e1915415", "name": "ACTIVIDAD MALICIOSA | Campa\u00f1a de Cloud Atlas APT: Modificaci\u00f3n de termsrv.dll para M\u00faltiples Sesiones RDP (2025-2026)", "description": "Cloud Atlas, un grupo APT activo desde al menos 2014, ha sido detectado utilizando una t\u00e9cnica sigilosa para mantener acceso persistente a sistemas Windows comprometidos. La campa\u00f1a, identificada por investigadores de Securelist y reportada en mayo de 2026, se intensific\u00f3 durante la segunda mitad de 2025 y principios de 2026, apuntando principalmente a agencias gubernamentales y organizaciones diplom\u00e1ticas en Rusia y Bielorrusia.", "modified": "2026-05-27T19:54:31.910000", "created": "2026-05-27T19:54:31.910000", "tags": [ "tor client", "malicious", "reverse ssh", "socks", "vbs tunnel", "ssh tunnel", "defang", "rutas", "archivo", "malware y", "ta0005", "command", "discovery", "powershell", "modify system", "control", "ta0011", "ta0002", "ta0003", "modificacin", "phishing", "execution", "masquerading", "malware" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)", "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 17, "domain": 24, "hostname": 1 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 268, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13b8f328162aab88d30ffa", "name": "IOC - Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload", "description": "In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.", "modified": "2026-05-25T02:50:27.951000", "created": "2026-05-25T02:50:27.951000", "tags": [ "browser checker", "reversesocks", "malicious ms", "office", "domains", "ips reverse", "sshsocks", "malicious", "ms office" ], "references": [ "https://securelist.com/cloud-atlas-2026/119895/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 68, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "IPv4": 19, "domain": 23, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1305db43a2aeb5769dd8a", "name": "Mustard Tempest and the multi-stage malware delivery chain", "description": "The recent activity of the hacker group Cloud Atlas has shown a significant shift in tactics, focusing on leveraging compromised legitimate domains rather than using their infrastructure for malware dissemination. In a targeted campaign against Russian industrial and military organizations, they utilized a decoy DOC file to initiate the download of malware via RTF templates. Subsequent components and payloads were delivered through WebDAV resources on previously legitimate domains, specifically http://atelierdebondy.fr and http://kommando.live, both now compromised.", "modified": "2026-04-04T15:38:05.688000", "created": "2026-04-04T15:38:05.688000", "tags": [ "mustard tempest", "\u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0435 \u043f\u043e", "\u0444\u0438\u0448\u0438\u043d\u0433", "webdav", "pdns", "cms", "tld", "cloud atlas", "cybersecurity", "\u043a\u0438\u0431\u0435\u0440\u0430\u0442\u0430\u043a\u0438", "fakeupdates", "javascript", "atlas", "cloud", "socgholish", "maas", "kommando", "tempest", "ttps", "telegram", "iframe", "hijackloader", "\u0438\u0434\u0435\u043d\u0442\u0438\u0447\u043d\u044b\u0439" ], "references": [ "https://habr.com/ru/companies/pt/articles/1017942/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [ "E-commerce", "Retail" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 10 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6902174530bc4629de44cb87", "name": "Field test: F6 experts analyze new attacks by Cloud Atlas group.", "description": "The Cloud Atlas group has been increasingly active in 2025, specifically targeting enterprises within the agribusiness and defense sectors in Russia and Belarus. A notable characteristic of these recent attacks has been the alteration of domain zones and the innovative use of phishing email attachments to deliver malware. F6 researchers conducted an analysis of these activities and uncovered various files linked to the group, which were shared on the VirusTotal platform.", "modified": "2025-10-29T13:31:49.959000", "created": "2025-10-29T13:31:49.959000", "tags": [ "loader", "cloud atlas", "hta dropper", "vbshower", "third group", "findings thus", "ttps", "sha1 file", "type", "forum grain" ], "references": [ "https://www.f6.ru/blog/cloud-atlas-field-trials/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 20, "FileHash-SHA256": 2, "domain": 38 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "213 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)", "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark", "https://securelist.com/cloud-atlas-2026/119895/", "https://www.f6.ru/blog/cloud-atlas-field-trials/", "Book1.csv", "https://habr.com/ru/companies/pt/articles/1017942/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5." ], "malware_families": [], "industries": [ "E-commerce", "Retail" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a174c09390776ae4501284b", "name": "ACTIVIDAD MALICIOSA | Campa\u00f1a de Cloud Atlas APT: Modificaci\u00f3n de termsrv.dll para M\u00faltiples Sesiones RDP (2025-2026)", "description": "Cloud Atlas, un grupo APT activo desde al menos 2014, ha sido detectado utilizando una t\u00e9cnica sigilosa para mantener acceso persistente a sistemas Windows comprometidos. La campa\u00f1a, identificada por investigadores de Securelist y reportada en mayo de 2026, se intensific\u00f3 durante la segunda mitad de 2025 y principios de 2026, apuntando principalmente a agencias gubernamentales y organizaciones diplom\u00e1ticas en Rusia y Bielorrusia.", "modified": "2026-05-27T19:54:49.658000", "created": "2026-05-27T19:54:49.658000", "tags": [ "tor client", "malicious", "reverse ssh", "socks", "vbs tunnel", "ssh tunnel", "defang", "rutas", "archivo", "malware y", "ta0005", "command", "discovery", "powershell", "modify system", "control", "ta0011", "ta0002", "ta0003", "modificacin", "phishing", "execution", "masquerading", "malware" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)", "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 17, "domain": 24, "hostname": 1 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 268, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a174bf7082d8eb0e1915415", "name": "ACTIVIDAD MALICIOSA | Campa\u00f1a de Cloud Atlas APT: Modificaci\u00f3n de termsrv.dll para M\u00faltiples Sesiones RDP (2025-2026)", "description": "Cloud Atlas, un grupo APT activo desde al menos 2014, ha sido detectado utilizando una t\u00e9cnica sigilosa para mantener acceso persistente a sistemas Windows comprometidos. La campa\u00f1a, identificada por investigadores de Securelist y reportada en mayo de 2026, se intensific\u00f3 durante la segunda mitad de 2025 y principios de 2026, apuntando principalmente a agencias gubernamentales y organizaciones diplom\u00e1ticas en Rusia y Bielorrusia.", "modified": "2026-05-27T19:54:31.910000", "created": "2026-05-27T19:54:31.910000", "tags": [ "tor client", "malicious", "reverse ssh", "socks", "vbs tunnel", "ssh tunnel", "defang", "rutas", "archivo", "malware y", "ta0005", "command", "discovery", "powershell", "modify system", "control", "ta0011", "ta0002", "ta0003", "modificacin", "phishing", "execution", "masquerading", "malware" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)", "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 17, "domain": 24, "hostname": 1 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 268, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13b8f328162aab88d30ffa", "name": "IOC - Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload", "description": "In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.", "modified": "2026-05-25T02:50:27.951000", "created": "2026-05-25T02:50:27.951000", "tags": [ "browser checker", "reversesocks", "malicious ms", "office", "domains", "ips reverse", "sshsocks", "malicious", "ms office" ], "references": [ "https://securelist.com/cloud-atlas-2026/119895/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 68, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "IPv4": 19, "domain": 23, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1305db43a2aeb5769dd8a", "name": "Mustard Tempest and the multi-stage malware delivery chain", "description": "The recent activity of the hacker group Cloud Atlas has shown a significant shift in tactics, focusing on leveraging compromised legitimate domains rather than using their infrastructure for malware dissemination. In a targeted campaign against Russian industrial and military organizations, they utilized a decoy DOC file to initiate the download of malware via RTF templates. Subsequent components and payloads were delivered through WebDAV resources on previously legitimate domains, specifically http://atelierdebondy.fr and http://kommando.live, both now compromised.", "modified": "2026-04-04T15:38:05.688000", "created": "2026-04-04T15:38:05.688000", "tags": [ "mustard tempest", "\u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0435 \u043f\u043e", "\u0444\u0438\u0448\u0438\u043d\u0433", "webdav", "pdns", "cms", "tld", "cloud atlas", "cybersecurity", "\u043a\u0438\u0431\u0435\u0440\u0430\u0442\u0430\u043a\u0438", "fakeupdates", "javascript", "atlas", "cloud", "socgholish", "maas", "kommando", "tempest", "ttps", "telegram", "iframe", "hijackloader", "\u0438\u0434\u0435\u043d\u0442\u0438\u0447\u043d\u044b\u0439" ], "references": [ "https://habr.com/ru/companies/pt/articles/1017942/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [ "E-commerce", "Retail" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 10 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6902174530bc4629de44cb87", "name": "Field test: F6 experts analyze new attacks by Cloud Atlas group.", "description": "The Cloud Atlas group has been increasingly active in 2025, specifically targeting enterprises within the agribusiness and defense sectors in Russia and Belarus. A notable characteristic of these recent attacks has been the alteration of domain zones and the innovative use of phishing email attachments to deliver malware. F6 researchers conducted an analysis of these activities and uncovered various files linked to the group, which were shared on the VirusTotal platform.", "modified": "2025-10-29T13:31:49.959000", "created": "2025-10-29T13:31:49.959000", "tags": [ "loader", "cloud atlas", "hta dropper", "vbshower", "third group", "findings thus", "ttps", "sha1 file", "type", "forum grain" ], "references": [ "https://www.f6.ru/blog/cloud-atlas-field-trials/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 20, "FileHash-SHA256": 2, "domain": 38 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "213 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "kommando.live", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "kommando.live", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173822.2116055 }